vaultwarden/issues/LICENSE-TRIAGE-2025-11-10.md

License triage summary (2025-11-10)

Summary

This short report summarizes the top remaining license failures reported by cargo-deny after temporary allowlist adjustments and initial experiments.

Top offenders (extracted from docker/audit/output/license_triage_2025-11-09.csv):

• webauthn-rs family (MPL-2.0):

  • webauthn-rs v0.5.3 (direct dependency)
  • webauthn-rs-core v0.5.3
  • webauthn-rs-proto v0.5.3
  • webauthn-attestation-ca v0.5.3
  • base64urlsafedata v0.5.3

• webpki-roots (CDLA-Permissive-2.0):

  • webpki-roots v1.0.3 pulled via hyper-rustls v0.27.7 -> reqwest v0.12.24 -> openidconnect v4.0.1 (and also via opendal/yubico_ng).

Counts and impact

• cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates.

Short remediation guidance

• webauthn-rs: direct dependency. Options: (a) upgrade (if a permissively licensed version exists), (b) replace with an alternative WebAuthn crate, or (c) vendor minimal functionality. Immediate step: contact upstream and search for forks/relicensing.
• webpki-roots: transitive via the TLS/HTTP stack. Options: (a) coordinated upgrade of reqwest/hyper-rustls/openidconnect or (b) switch TLS backend/features to avoid webpki-roots.

Artifacts

• Full diagnostics and experiment artifacts: docker/audit/output/ (files: *_deny.err, *_deny.json, *_build.err).

Next steps

1. Owner assignment and tasking in PR checklist (see draft PR #2).
2. Continue coordinated upgrades for reqwest chain and attempt to upgrade/replace webauthn-rs.
3. Remove temporary allowlist once all offenders are resolved.